Chapter 8: Securing XML
Introduction
XML is a powerful technology for structuring data in a platform-independent, human-readable format. Documents in XML are easy to create and simple to parse. There are countless applications using XML in the connected, Web world as well as the offline world. Describing all the benefits of XML is beyond the scope of this chapter, but if you would like further details on XML, Amazon.com currently lists over 2,500 books on the subject.
For all of XML’s useful and important benefits, until recently it has come up short in the area of security. For example, XML previously had no specification to protect the privacy or integrity of data. Data contained in XML was vulnerable to viewing and modification by external parties without detection. To solve these security problems, developers had to use external, disparate technologies to protect their XML-contained data. The World Wide Web Consortium (W3C) addressed these concerns by leveraging the tools of encryption and digital certificates. XML now contains internal and standardized specifications to describe encrypted and signed data. You can now use encryption to protect the privacy and integrity of data contained in XML. Use the public and private keys of digital certificates to sign XML data. Signing XML data protects the integrity, authentication, and nonrepudiation of data. The XML encryption and digital signature specifications are clear and detailed about disclosing the algorithms, formats, and methods used to decrypt and validate signatures. Using these specifications, you can be confident that your data will not only be protected but also be useful to other applications that implement the specifications.